Prestashop < v1.4.9.0 - Blockstore module : Arbitrary file upload

2012-08-29T00:00:00
ID 1337DAY-ID-19282
Type zdt
Reporter leviathan
Modified 2012-08-29T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Prestashop < v1.4.9.0 - Blockstore module : Arbitrary file upload
# Date: 2012-08-29
# Author: leviathan
# Vendor or Software Link: http://www.prestashop.com
# Version: < 1.4.9.0 
# Category:: webapps
# Google dork: 
# Tested on: Prestashop 1.4.8.2 / Prestashop 1.5.0.13
# Demo site: 

-----
Description :

Arbitrary file upload

-----
Issue :

- create an image
- open it with text editor and add PHP code (must have a valid image mimetype after PHP injection)
- save with php extension
- go to admin panel and blockstore module configuration
- upload image
- call http://localhost/prestashop/modules/blockstore/[your filename].php

-----
Credential required :

- admin panel access with blockstore module configuration allowed

-----
Affected version :

Prestashop < 1.4.9.0
Prestashop < 1.5.0.15 (1.5 RC2) (< r16722)

-----
Solution :

update to 1.4.9.0 or 1.5.0.15

-----
Report timeline :

2012-08-02 - Found the security issue
2012-08-03 - Vendor notified
2012-08-03 - Vendor response
2012-08-06 - Fix issue on SVN (r16720 and r16722)
2012-08-24 - New release (1.4.9) with fix
2012-08-29 - Public disclosure



#  0day.today [2018-04-08]  #